Hello:<br><br>Firefox 2.0.0.3 (at least in Windows) *seems to be vulnerable*. I don't remember exactly what it did, but it behaved in a strange way; I believe some file handle was left open and I had to kill it the hard way. I don't know what they say in the docs, but if it ends up calling the user32 function, that's all it takes to trigger the bug. I was taking a peek at its import tables and it imports from User32 the function LoadCursorA; maybe that could be the guilty one.
<br><br>Anyway, test here and see what happens (that link is from dev code)<br><br><a href="http://sicotik.com/ink/test.html">http://sicotik.com/ink/test.html</a><br><br>I haven't been vulnerable for quite some time ;) and I don't have much time to test right now
<br><br>Regards<br>Waldo<br><br><div><span class="gmail_quote">On 4/8/07, <b class="gmail_sendername">Michal Majchrowicz</b> <<a href="mailto:m.majchrowicz@gmail.com">m.majchrowicz@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi.<br>There are more and more reports about FF and the ani vulnerability.<br>There was already a presentation of a working exploit.<br>The thing starts to annoy me and since I am far away from any Windows machine<br>I wanted to share some of my speculations.
<br>According to the docs two things are obvious:<br>1) Firefox doesn't support ANI cursors<br>2) ANI is just a few CUR cursors packed together and presented as an animation.<br>So I have three possible ways of exploiting it:
<br>1) Since ANI files are vulnerable then maybe CUR files are also<br>vulnerable. Firefox does support CUR files.<br>2) If Firefox doesn't support ANI files it only means it doesn't<br>render them. It doesn't mean it will not accept them in any way :)
<br>3) Maybe it is possible to take foo.ani and rename it to foo.cur.<br>Then FF will call the Win API with this cursor. The Windows API will recognize<br>this as an ANI file and call the vulnerable function.<br>As I said before these are just speculations. I hope someone will be
<br>able to confirm or prove that some of them (or all) make no sense.<br>Happy Easter to everyone.<br>Regards, Michal.<br><br>On 4/4/07, Peter Ferrie <<a href="mailto:pferrie@symantec.com">pferrie@symantec.com</a>> wrote:
<br>> >That's correct, Firefox doesn't support ANI files for cursors.<br>><br>> Right, and it doesn't need to, because cursors are not the only way to reach the vulnerable code.<br>> Icons can do it, too.
<br>><br>><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br>><br></blockquote></div><br>
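Michal's third point, that a renamed .ani file still reaches the Windows cursor loader, is really an argument about content sniffing: the bytes of the file, not its name, decide which parser runs. The example below is added here and is my own code, not code from this thread, from Firefox or from Windows. It classifies a cursor blob by its leading bytes (a RIFF container with form type ACON is ANI; an ICONDIR header with type 2 is CUR, type 1 is ICO), flags an extension that disagrees with the content, and for ANI files walks the RIFF chunks and checks every anih chunk against the 36-byte ANIHEADER structure. The sample files are constructed inline; the function names and the anomaly heuristics (size mismatch, truncation, more than one anih chunk) are my own choices and are not stated anywhere in the thread.

```python
import struct

# sizeof(ANIHEADER): nine DWORD fields (cbSizeof, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags) = 36 bytes
ANIH_EXPECTED_SIZE = 36


def sniff_cursor_type(data: bytes) -> str:
    """Classify a cursor/icon blob by its leading bytes, ignoring the filename.

    ANI files are RIFF containers with form type 'ACON'; CUR and ICO files
    start with an ICONDIR header (reserved=0, type=2 for cursors, 1 for icons).
    """
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    if len(data) >= 6:
        reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
        if reserved == 0 and count > 0:
            if img_type == 2:
                return "cur"
            if img_type == 1:
                return "ico"
    return "unknown"


def iter_riff_chunks(data: bytes, start: int = 12, end=None):
    """Yield (fourcc, declared_size, payload) per chunk, descending into LIST chunks.

    Sizes are taken straight from the file, so a bogus size field simply
    yields a payload shorter than declared; the caller decides if that matters.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = min(payload_start + size, end)
        if fourcc == b"LIST":
            # A LIST chunk carries a 4-byte form type followed by sub-chunks.
            yield from iter_riff_chunks(data, payload_start + 4, payload_end)
        else:
            yield fourcc, size, data[payload_start:payload_end]
        # Chunks are word-aligned: an odd-sized payload is followed by one pad byte.
        pos = payload_start + size + (size & 1)


def find_anih_anomalies(data: bytes) -> list:
    """Report anih chunks that do not look like a single, well-formed ANIHEADER (heuristics are my own)."""
    findings = []
    seen = 0
    for fourcc, size, payload in iter_riff_chunks(data):
        if fourcc != b"anih":
            continue
        seen += 1
        if size != ANIH_EXPECTED_SIZE:
            findings.append(f"anih chunk #{seen} declares {size} bytes, expected {ANIH_EXPECTED_SIZE}")
        if len(payload) < size:
            findings.append(f"anih chunk #{seen} is truncated: {len(payload)} of {size} bytes present")
    if seen > 1:
        findings.append(f"{seen} anih chunks present; only one is expected")
    return findings


def assess(filename: str, data: bytes):
    """Return (content_type, findings): the sniffed type plus any red flags."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_cursor_type(data)
    findings = []
    if ext in ("ani", "cur", "ico") and ext != actual:
        findings.append(f"extension .{ext} but content is {actual}")
    if actual == "ani":
        findings.extend(find_anih_anomalies(data))
    return actual, findings


# --- constructed sample files (hypothetical, not real cursors from the thread) ---

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_size: int = ANIH_EXPECTED_SIZE, anih_count: int = 1) -> bytes:
    """Build a minimal ANI: anih chunk(s) of the requested size plus one dummy frame."""
    header = struct.pack("<9I", ANIH_EXPECTED_SIZE, 1, 1, 32, 32, 32, 1, 6, 1)
    body = b""
    for _ in range(anih_count):
        body += _chunk(b"anih", (header + b"\x00" * anih_size)[:anih_size])
    body += _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 8))
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


CUR_SAMPLE = struct.pack("<HHH", 0, 2, 1) + b"\x00" * 16  # ICONDIR with one cursor entry


if __name__ == "__main__":
    for name, blob in [("pointer.ani", build_ani()),
                       ("pointer.cur", CUR_SAMPLE),
                       ("pointer.cur", build_ani()),
                       ("pointer.ani", build_ani(anih_size=200)),
                       ("pointer.ani", build_ani(anih_count=2))]:
        print(name, assess(name, blob))
```

The point of `assess` is that the extension check alone is not enough: a file named foo.cur whose bytes begin with RIFF/ACON is reported as ANI regardless of name, which is exactly the mismatch a proxy, mail gateway or upload handler would want to reject before any native image loader sees the bytes.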